Virtualized volume level security

ABSTRACT

Implementations and methods herein provide a networked storage system including a plurality of physical storage devices configured to store data on a plurality of virtualized volumes, a key store configured to store a plurality of encryption keys, and a security manager configured to encrypt data stored on each of the plurality of virtualized volumes using a different key.

CROSS-REFERENCE TO RELATED APPLICATION

This application is related to and incorporates in its entirety, U.S.Non-Provisional patent application Ser. No. 15/432,657 entitled“Virtualized Volume Level Messaging” and filed concurrently on 14 Feb.2017.

BACKGROUND

Cloud data security schemes can employ a variety of techniques toprotect data. Such techniques may include data encryption and userauthentication. Both encryption and authentication may employ the use ofkeys to provide increased security. For example, a key may be used toencrypt data, or a key may be used to authenticate a user requestingaccess to network resources. The key may be shared among multiple usersor devices.

SUMMARY

Implementations and methods herein provide a networked storage systemincluding a plurality of virtualized volumes, data stored on each of theplurality of virtualized volumes being encrypted using a different key.

An implementation further provides a networked data storage systemincluding a plurality of virtualized volumes, data stored on each of theplurality of virtualized volumes being encrypted using a different keyand a security manager configured to receive a request from a client tostore data to a network resource comprising a plurality of virtualizedvolumes and to determine an identity of a target virtualized volume, thesecurity manager is further configured to retrieve an encryption keyfrom a key store to encrypt data on the one of the plurality ofvirtualized volumes.

An alternative implementation further provides a method of securecommunication with storage devices, including receiving, at avirtualized volume security manager, a request to store data on one of aplurality of virtualized volumes, determining a target volume level,retrieving an encryption key associated with the target volume level,encrypting the data using the encryption key, and storing the data onone or more of a plurality of physical drives associated with the targetvolume level.

These and various other features and advantages will be apparent from areading of the following Detailed Description.

BRIEF DESCRIPTIONS OF THE DRAWINGS

FIG. 1 illustrates an example implementation of a networked storagesystem using virtualized security structure disclosed herein.

FIG. 2 illustrates example operations for using the networked storagesystem disclosed herein.

FIG. 3 illustrates alternate example operations for using the networkedstorage system disclosed herein.

FIG. 4 illustrates example computing device for implementing thevirtualized volume level security system disclosed herein.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the various implementations described herein. Whilevarious features are ascribed to particular implementations, it shouldbe appreciated that the features described with respect to oneimplementation may be incorporated with other implementations as well.By the same token, however, no single feature or features of anydescribed implementation should be considered essential, as otherimplementations may omit such features.

As more and more data is stored remotely (e.g., in the cloud) ratherthan locally (e.g., a user device), data security is increasinglyimportant. Cloud security schemes can employ a variety of techniques toprotect data, such as encryption, authorization, password systems, etc.Data encryption generally involves the transformation of input data intoan encrypted output using a selected cryptographic algorithm, functionor operation. The algorithm/function may utilize one or more keys toeffect the transformation from input data (e.g., plain text) to outputdata (e.g., cypher text). If encrypted data is to be sent from a firstuser/device to a second user or device, then the second user or devicemust have knowledge of the one or more keys to decrypt the data suchthat it may be utilized.

In secure storage systems, data security schemes are enforced at thestorage device level in a variety of ways. For example, a user may firstrequire authentication before the user is allowed access to the securestorage systems. Multi-device storage systems may provide large scalestorage capabilities in a distributed computing environment (e.g., cloudbased object storage systems, RAID storage system, large databaseprocessing systems, etc.). Multi-device storage systems may utilizeencrypted data at the storage device level and authentication passwordsthat can be used between the storage device and a host to identify andauthenticate a data exchange.

Implementations described herein provide an enhanced security systemutilizing virtualized volume level security for remote data storagesystems. One or more implementations disclosed herein provide forvirtualized volume level security where each virtual volume of data on aserver, such as a cloud server, uses a different key for encrypting datafor that volume. Thus, for example, a cloud server may be implementedusing ten different physical storage drives and contain two virtualvolumes spread across the ten different physical storage devices. Insuch a case, the data stored on the first logical volume is encryptedusing a first key and the data stored on the second volume is encryptedusing a second key, with the first key being different than the secondkey.

In an alternative implementation of the system providing virtualizedvolume level security, messaging to each virtual volume is controlledusing a different key. Thus, for example a cloud server may beimplemented using twenty different physical storage drives and containtwo virtual volumes spread across the ten different physical storagedevices with a storage controller configured to access the data on thecloud server. In such a case, messages between the storage controllerand the first volume may be controlled using a first key and themessages between the storage controller and the second volume may becontrolled using a second key, with the first key being different thanthe second key.

Specific implementations disclosed herein provide the ability to securevolumes or logical unit numbers (LUNs) and its associated data whereeach volume may be virtualized in that its associated data is splitamong many drives.

FIG. 1 illustrates an example implementation of a networked storagesystem 100 using a virtualized security structure disclosed herein.Specifically, the networked storage system 100 includes a number of userdevices 102 configured use a network 104 to access data on a remote datastorage system 106. The remote data storage system 106 may be, forexample, a cloud server that can be accessed by the network 104 such asthe Internet. In an implementation disclosed herein, the remote datastorage system 106 may include a plurality of physical storage devicesuch as drives 130 (130 a, 130 b, 130 c, etc.). The drives 130 may beimplemented using storage devices such as magnetic disc drives, opticaldisc drives, tape drives, flash drives, solid-state storage device, etc.In one implementation of the networked storage system 100, the drives130 may be self-encrypted drives (SED). However, in an alternativeimplementation, the drives 130 may not be SEDs. In yet alternativeimplementation, the some of the drives 130 may be SED while the othersof the drives 130 may not be SED. While such an implementation may havethe drives 130 as SED, it is not a requirement and 130 may also be anon-SED drive.

The networked storage system 100 includes a storage access controller120 that may be used to control access to data on a remote data storagesystem 106. In one implementation, the storage access controller 120 maybe implemented on a same server or cloud that hosts the remote datastorage system 106. However, in an alternative implementation, thestorage access controller 120 may be implemented on a different serveror cloud compared to the server that hosts the remote data storagesystem 106.

In the illustrated implementation of the networked storage system 100,the remote data storage system 106 is configured to use virtualizedvolumes for storing data on the drives 130. For example, at least two ofthe virtualized volumes V1 124 a and V2 124 b are illustrated herein.The virtualized volumes V1 124 a and V2 124 b may also be referred to aslogical unit numbers (LUNs). As illustrated, each of the virtualizedvolumes 124 are mapped to one or more of the drives 130. For example,the Volume V2 124 b is illustrated to be mapped to a storage area XX-YYof drive 130 a, to two storage areas AA-CC and VV-ZZ of drive 130 b, andto a storage area QQ-SS of the drive 130 c. The storage accesscontroller 120 may store and update such mapping. In an implementationof the networked storage system 100, the virtualized volumes 124 may bethinly provisioned in that each of the virtualized volumes 124 may havelarger virtual storage capacity than the physical storage capacity ofthe drives 130. In one implementation, the storage access controller 120may be configured to allocate one virtualized volume to one client.Thus, for example, a client represented by the user 102 b may beallocated volume V2 124 b. In such implementation, communications 110 afrom the user device 102 a are directed to volume V2 124 b. Similarly,communications 110 b from the user device 102 b may be directed tovolume V2 124 a. Thus, data from a client may be dispersed among morethan one of the drives 130. On the other hand, each of the drives 130may store data from more than one client. Such virtualized allocation ofdata over a plurality of devices may make the data on the drives 130vulnerable to a number of security threats. For example, a client Ausing the user device 102 a may store corrupted data on a storage regionXX-YY of the drive 130 a such that the corrupted data may affect datafrom a client B stored on drive 130 a.

In an implementation of the networked storage system 100, the storageaccess controller 120 also includes a virtualized volume securitymanager 122 (referred to hereinafter as the “security manager” 122) thatassigns a different key for storing data to each one of the volumes 124.The security manager 122 may work with a key store 140 configured on thestorage access controller 120 to generate encryption keys. The key store140 may be used to generate encryption keys that may be used to encryptdata stored on the volumes 124. The key store 140 may be locallyimplemented on the storage access controller 120 or alternatively it maybe implemented externally to the storage access controller 120. Theimplementation discloses such a remote key store 140 a that may beimplemented on a remote data server. In such an implementation, thevirtualized volume security manager 122 may make calls to the remote keystore 140 a to create and retrieve keys that may be tied to devices 124a, 124 b, etc.

For example, the security manager 122 may use a first encryption keywhen storing data on the volume V1 124 a and a second encryption keywhen storing data to the volume V2 124 b. Thus, when a client A using auser device 102 a requests for data storage on volume V2 124 b, thesecurity manager 122 encrypts the data using the first encryption keyirrespective of whether the data is going to be stored on drive 130 a,130 b, or 130 c. On the other hand, if a client B using the user device102 b requests for data storage on volume V1 124 a, the security manager122 encrypts the data using the second encryption key irrespective ofwhether the data is going to be stored on drive 130 a, 130 b, or 130 c.

As a result, different sections of any of the drives 130 are encryptedusing different encryption keys. For example, a storage area 132 a onthe drive 130 a may be encrypted using the second key that is used forencrypting data of the volume V2 124 b whereas a storage area 132 b onthe same drive 130 a may be encrypted using the first key that is usedfor encrypting data of the volume V1 124 a.

In one implementation of the networked storage system 100, theencryption keys used for encrypting data on particular volume of theremote data storage system 106 may be provided by the client that isallocated on a particular volume. For example, the client A using theuser device 102 a may provide the second encryption key to the storageaccess controller 120 together with the request 110 a for storage orretrieval of data from volume V2 124 b. Similarly, the client B usingthe user device 102 b may provide the first encryption key to thestorage access controller 120 together with the request 110 b forstorage or retrieval of data from volume V1 124 a. In such animplementation, unless the storage access controller 120 receives arequest for access to the virtualized volumes 124 with a properencryption key, the storage access controller 120 is not capable ofdecrypting the data from the target volumes. In one implementation, ifthe storage access controller 120 is not provided the correct encryptionkey, it does not return any data at all to the requesting device andsends a message that the encryption key is not correct. Alternatively,in some implementation, the storage access controller 120 returnsunencrypted data to the requesting device.

In one implementation, the storage access controller 120 extracts thedata from a particular storage region of the remote data storage system106 without decrypting such data, but sends the encrypted data to theclient. In such a case, the client at a user device 102 will be able todecrypt and use the data only if they have the decryption key. Theimplementation of the networked storage system 100 in effect results inthe virtualized volumes 124 a, 124 b to behave like self-encrypteddrives (SEDs), even when the drives 130 may or may not be SEDs.

FIG. 2 illustrates example operations 200 for using the networkedstorage system disclosed herein to store data to various drives ofvirtualized volumes. Specifically, the operations 200 may be implementedby a virtualized volume security manager such as those described herein.An operation 202 receives a request for storing data to a networkedresource, such as a cloud server having various virtualized volumes. Theoperation 202 may receive a request, such as a request from a clientdevice connected with the security manager via the Internet. Anoperation 210 determines which of the various volumes is the target ofthe data storage request.

For example, the network resource may be a cloud storage system with tendrives and one hundred virtualized volumes implemented on the ten drivessuch as way that each volume may be allocated storage area on one ormore of the ten drives. The operation 210 may determine that the targetvolume level is a volume A of the one hundred volumes. An operation 212retrieves an encryption key for the target volume. For example, theencryption key may be retrieved from a key store configured on thesecurity manager. Specifically, the key store may be configured to havedifferent key for each volume on the networked storage resource.Subsequently, an operation 214 encrypts the data using the selected keyand an operation 216 stores the encrypted data on the target volume.

FIG. 3 illustrates example operations 300 for using the networkedstorage system disclosed herein to retrieve data from various drives ofvirtualized volumes. Specifically, the operations 300 may be implementedby a virtualized volume security manager such as those described herein.An operation 302 receives a request for retrieving data to a networkedresource, such as a cloud server having various virtualized volume. Theoperation 302 may receive a request, such as a request from a clientdevice connected with the security manager via the Internet. Anoperation 320 determines the source volume from where the data is to beretrieved. Subsequently, an operation 322 retrieves a key for the sourcevolume. An operation 324 retrieves data from the source target and usingthe key, an operation 326 decrypts the data, which is sent to the clientat operation 328.

FIG. 4 illustrates an example computing system 400 that may be useful inimplementing the volume lever security system disclosed herein. Theexample hardware and operating environment of FIG. 4 for implementingthe described technology includes a computing device, such as ageneral-purpose computing device in the form of a computer 20, a mobiletelephone, a personal data assistant (PDA), a tablet, smart watch,gaming remote, or other type of computing device. In the implementationof FIG. 4, for example, the computer 20 includes a processing unit 21, asystem memory 22, and a system bus 23 that operatively couples varioussystem components, including the system memory 22 to the processing unit21. There may be only one or there may be more than one processing units21, such that the processor of a computer 20 comprises a singlecentral-processing unit (CPU), or a plurality of processing units,commonly referred to as a parallel processing environment. The computer20 may be a conventional computer, a distributed computer, or any othertype of computer; the implementations are not so limited.

In the example implementation of the computing system 400, the computer20 also includes a security manager 410, such as the virtualized volumesecurity manager disclosed herein. The security manager 410 maycommunicate with key store 420 to control access to one or morevirtualized volumes.

The system bus 23 may be any of several types of bus structures,including a memory bus or memory controller, a peripheral bus, aswitched fabric, point-to-point connections, and a local bus using anyof a variety of bus architectures. The system memory 22 may also bereferred to as simply the memory, and includes read-only memory (ROM) 24and random access memory (RAM) 25. A basic input/output system (BIOS)26, contains the basic routines that help to transfer informationbetween elements within the computer 20, such as during start-up, isstored in ROM 24. The computer 20 further includes a hard disk drive 27for reading from and writing to a hard disk, not shown, a magnetic diskdrive 28 for reading from or writing to a removable magnetic disk 29,and solid state disk drive 30 for reading from or writing to a solidstate disk drive 31.

The computer 20 may be used to implement a volume lever security systemdisclosed herein. In one implementation, a frequency unwrapping module,including instructions to unwrap frequencies based on the sampledreflected modulations signals, may be stored in memory of the computer20, such as the read-only memory (ROM) 24 and random access memory (RAM)25, etc.

Furthermore, instructions stored on the memory of the computer 20 may beused to perform one or more operations disclosed in FIG. 4. Similarly,instructions stored on the memory of the computer 20 may also be used toimplement one or more components of FIGS. 1-3. The memory of thecomputer 20 may also one or more instructions to implement the volumelevel security system disclosed herein.

The hard disk drive 27, magnetic disk drive 28, and solid state diskdrive 30 are connected to the system bus 23 by a hard disk driveinterface 32, a magnetic disk drive interface 33, and a solid statedrive interface 34, respectively. The drives and their associatedtangible computer-readable media provide non-volatile storage ofcomputer-readable instructions, data structures, program modules andother data for the computer 20. It should be appreciated by thoseskilled in the art that any type of tangible computer-readable media maybe used in the example operating environment.

A number of program modules may be stored on the hard disk, magneticdisk 29, solid state drive 31, ROM 24, or RAM 25, including an operatingsystem 35, one or more application programs 36, other program modules37, and program data 38. A user may generate reminders on the personalcomputer 20 through input devices such as a keyboard 40 and pointingdevice 42. Other input devices (not shown) may include a microphone(e.g., for voice input), a camera (e.g., for a natural user interface(NUI)), a joystick, a game pad, a satellite dish, a scanner, or thelike. These and other input devices are often connected to theprocessing unit 21 through a serial port interface 46 that is coupled tothe system bus 23, but may be connected by other interfaces, such as aparallel port, game port, or a universal serial bus (USB). A monitor 47or other type of display device is also connected to the system bus 23via an interface, such as a video adapter 48. In addition to themonitor, computers typically include other peripheral output devices(not shown), such as speakers and printers.

The computer 20 may operate in a networked environment using logicalconnections to one or more remote computers, such as remote computer 49.These logical connections are achieved by a communication device coupledto or a part of the computer 20; the implementations are not limited toa particular type of communications device. The remote computer 49 maybe another computer, a server, a router, a network PC, a client, a peerdevice or other common network node, and typically includes many or allof the elements described above relative to the computer 20. The logicalconnections depicted in FIG. 4 include a local-area network (LAN) 51 anda wide-area network (WAN) 52. Such networking environments arecommonplace in office networks, enterprise-wide computer networks,intranets and the Internet, which are all types of networks.

When used in a LAN-networking environment, the computer 20 is connectedto the local area network 51 through a network interface or adapter 53,which is one type of communications device. When used in aWAN-networking environment, the computer 20 typically includes a modem54, a network adapter, a type of communications device, or any othertype of communications device for establishing communications over thewide area network 52. The modem 54, which may be internal or external,is connected to the system bus 23 via the serial port interface 46. In anetworked environment, program engines depicted relative to the personalcomputer 20, or portions thereof, may be stored in the remote memorystorage device. It is appreciated that the network connections shown areexample and other means of communications devices for establishing acommunications link between the computers may be used.

In an example implementation, software or firmware instructions for thepower security manager 410 may be stored in system memory 22 and/orstorage devices 29 or 31 and processed by the processing unit 21. One ormore instructions for virtualized volume level security scheme and datamay be stored in system memory 22 and/or storage devices 29 or 31 aspersistent data-stores.

In contrast to tangible computer-readable storage media, intangiblecomputer-readable communication signals may embody computer readableinstructions, data structures, program modules or other data resident ina modulated data signal, such as a carrier wave or other signaltransport mechanism. The term “modulated data signal” means a signalthat has one or more of its characteristics set or changed in such amanner as to encode information in the signal. By way of example, andnot limitation, intangible communication signals include wired mediasuch as a wired network or direct-wired connection, and wireless mediasuch as acoustic, RF, infrared and other wireless media.

In addition to methods, the embodiments of the technology describedherein can be implemented as logical steps in one or more computersystems. The logical operations of the present technology can beimplemented (1) as a sequence of processor-implemented steps executingin one or more computer systems and/or (2) as interconnected machine orcircuit modules within one or more computer systems. Implementation is amatter of choice, dependent on the performance requirements of thecomputer system implementing the technology. Accordingly, the logicaloperations of the technology described herein are referred to variouslyas operations, steps, objects, or modules. Furthermore, it should beunderstood that logical operations may be performed in any order, unlessexplicitly claimed otherwise or unless a specific order is inherentlynecessitated by the claim language.

Data storage and/or memory may be embodied by various types of storage,such as hard disc media, a storage array containing multiple storagedevices, optical media, solid-state drive technology, ROM, RAM, andother technology. The operations may be implemented in firmware,software, hard-wired circuitry, gate array technology and othertechnologies, whether executed or assisted by a microprocessor, amicroprocessor core, a microcontroller, special purpose circuitry, orother processing technologies. It should be understood that a writecontroller, a storage controller, data write circuitry, data read andrecovery circuitry, a sorting module, and other functional modules of adata storage system may include or work in concert with a processor forprocessing processor-readable instructions for performing asystem-implemented process.

For purposes of this description and meaning of the claims, the term“memory” means a tangible data storage device, including non-volatilememories (such as flash memory and the like) and volatile memories (suchas dynamic random access memory and the like). The computer instructionseither permanently or temporarily reside in the memory, along with otherinformation such as data, virtual mappings, operating systems,applications, and the like that are accessed by a computer processor toperform the desired functionality. The term “memory” expressly does notinclude a transitory medium such as a carrier signal, but the computerinstructions can be transferred to the memory wirelessly.

The above specification, examples, and data provide a completedescription of the structure and use of example embodiments of thedisclosed technology. Since many embodiments of the disclosed technologycan be made without departing from the spirit and scope of the disclosedtechnology, the disclosed technology resides in the claims hereinafterappended. Furthermore, structural features of the different embodimentsmay be combined in yet another embodiment without departing from therecited claims.

What is claimed is:
 1. A networked data storage system, comprising: a plurality of virtualized volumes, respective data stored on each of the plurality of virtualized volumes being encrypted using a different key for each of the virtualized volumes and messages to each of the virtualized volumes using a different encryption key for respective ones of the plurality of virtualized volumes, the virtualized volumes being distributed across two or more physical storage drives; a key store configured to store a plurality of encryption keys, each of the plurality of encryption keys relating to one of the plurality of virtualized volumes; a security manager configured to: receive a request from a client to store data to a network resource comprising a plurality of virtualized volumes, determine an identity of a target virtualized volume, determine an encryption key used to encrypt data to the one of the plurality of virtualized volumes, request an encryption key from the key store based on the identity of the target virtualized volume, and encrypt a message to the target virtualized volume comprising the data using the encryption key from the key store, wherein respective messages to each of the plurality of virtualized volumes are encrypted using a different one of the plurality of encryption keys corresponding to the virtualized volume to which the respective messages are sent; and a first virtualized volume comprising the target virtualized volume that is operative for storing data of the message on a first physical storage drive and encrypting the data using a first key comprising the requested encryption key, and data on the first virtualized volume that is stored on a second physical storage drive is also encrypted using the first key.
 2. The networked data storage system of claim 1, wherein the key store is a local key store configured with the security manager.
 3. The networked data storage system of claim 1, wherein the key store is configured remotely from the security manager.
 4. A networked data storage system, comprising: a plurality of virtualized volumes, respective data stored on each of the plurality of virtualized volumes being encrypted using a different key for each of the virtualized volumes and messages to each of the virtualized volumes using a different encryption key for respective ones of the plurality of virtualized volumes, the virtualized volumes being distributed across two or more physical storage drives; a first virtualized volume storing data on a first physical storage drive and encrypting the data using a first key, and data on the first virtualized volume that is stored on a second physical storage drive is also encrypted using the first key, the first virtualized volume receiving a message with the data encrypted with the first key; a key store configured to store a plurality of encryption keys, each of the plurality of encryption keys relating to one of the plurality of virtualized volumes; and a security manager configured to: receive a request from a client to store data to a network resource comprising a plurality of virtualized volumes, determine an identity of a target virtualized volume, request and retrieve an encryption key from the key store to encrypt the data, encrypt a message to the targeted virtualized volume comprising the data to the target virtualized volume, and store the data using the encryption key on the target virtualized volume.
 5. The networked data storage system of claim 4, wherein each of the plurality of virtualized volumes is configured to have a private key corresponding to the one of the plurality of public keys of the key store.
 6. The networked data storage system of claim 4, wherein each of the two or more physical storage drives is a self-encrypting drive (SED).
 7. A method of secure communication with storage devices, comprising: receiving, at a virtualized volume security manager, a request from a client to store data to a network resource comprising a plurality of virtualized volumes, wherein respective data stored on each of the plurality of virtualized volumes is encrypted using a different key for each of the virtualized volumes and for messages to each of the virtualized volumes using a different encryption key for respective ones of the plurality of virtualized volumes, the virtualized volumes being distributed across two or more physical storage drives; determining, by the virtualized volume security manager, an identity of a target virtualized volume; determining, by the virtualized volume security manager, an encryption key used to encrypt data to the target virtualized volume; requesting, by the virtualized volume security manager, the encryption key from a key store configured to store a plurality of encryption keys, each of the plurality of encryption keys relating to one of the plurality of virtualized volumes, wherein the requesting the encryption key is based on the identity of the target virtualized volume; retrieving, by the virtualized volume security manager, the encryption key from the key store that is associated with the target volume level for storage of data in the target volume and for messages directed to the targeted volume; encrypting, by the virtualized volume security manager, the data using the encryption key; encrypting, by the virtualized volume security manager, a message to the target virtualized volume comprising the data using the encryption key from the key store, wherein respective messages to each of the plurality of virtualized volumes are encrypted using a different one of the plurality of encryption keys corresponding to the virtualized volume to which the respective messages are sent; and storing the data encrypted with the encryption key on in a first virtualized volume comprising the target virtualized volume that is operative for storing data of the message on a first physical storage drive and encrypting the data using a first key comprising the requested encryption key, and data on the first virtualized volume that is stored on a second physical storage drive is also encrypted using the first key.
 8. The method of claim 7, wherein the retrieving the encryption key associated with the target virtualized volume further comprises retrieving the encryption key from the key store configured remotely from virtualized volume security manager.
 9. The method of claim 7, wherein the two or more of a plurality of physical drives associated with the target volume level are self-encrypting drives (SEDs).
 10. The method of claim 7, wherein each of the plurality of virtualized volumes is configured to have a private key corresponding to the one of the plurality of public keys of the key store.
 11. The method of claim 7, further comprising: receiving, at the virtualized volume security manager, a request to retrieve data from the one of the plurality of virtualized volumes; determining target volume level for data retrieval; and retrieving the encryption key associated with the target volume level.
 12. The method of claim 11, further comprising determining the two or more of the plurality of physical drives associated with the target volume level and retrieving data from the one or more of the plurality of physical drives associated with the target volume level.
 13. The method of claim 12, wherein decrypting the data retrieved from the two or more of the plurality of physical drives associated with the target volume level using the encryption key associated with the target volume level. 